Tighten permissions for PXE directories

Make the HTTP directory not world readable by default.
Images may contain secrets, so regular users should not read them.

Add nginx and dnsmasq to the ironic group so that they can read ironic
files that are group accessible.

Change-Id: Iaa8585fb48e5db6c0d5063dca0d84c9d2300f0c9
Dmitry Tantsur 2022-01-11 12:22:11 +01:00
parent 5fd6251f22
commit 3cb96f1b67
6 changed files with 45 additions and 11 deletions


@ -11,6 +11,7 @@ fast_track: true
tftp_boot_folder: /tftpboot tftp_boot_folder: /tftpboot
http_boot_folder: /var/lib/ironic/httpboot http_boot_folder: /var/lib/ironic/httpboot
boot_folder_permissions: "0750"
ironic_tftp_master_path: /var/lib/ironic/master_images ironic_tftp_master_path: /var/lib/ironic/master_images
staging_drivers_include: false staging_drivers_include: false
file_url_port: "8080" file_url_port: "8080"
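Review bot: The new `boot_folder_permissions: "0750"` default carries no comment, so a reader of the defaults file cannot tell which directories it governs or why it departs from the 0755 used elsewhere. Quoting it is correct (an unquoted leading-zero value is read as an octal integer by the YAML loader), but I would add above it `# Mode for http_boot_folder and its pxelinux.cfg subdir; the TFTP folders keep 0755 (see create_tftpboot task)`. The release note in this commit says both TFTP and HTTP directories are affected, while the tasks only apply this variable to the HTTP tree, so the comment should make the actual scope explicit.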


@ -102,10 +102,21 @@
- name: "Create an ironic service group" - name: "Create an ironic service group"
group: group:
name: "ironic" name: "ironic"
- name: "Create an ironic service user" - name: "Create an ironic service user"
user: user:
name: "ironic" name: "ironic"
group: "ironic" group: "ironic"
- name: "Add nginx and dnsmasq to the ironic group"
user:
name: "{{ item }}"
groups: "ironic"
append: yes
loop:
- "{{ nginx_user }}"
- dnsmasq
- name: "Ensure /etc/ironic exists" - name: "Ensure /etc/ironic exists"
file: file:
name: "/etc/ironic" name: "/etc/ironic"
@ -113,6 +124,7 @@
owner: "ironic" owner: "ironic"
group: "ironic" group: "ironic"
mode: 0755 mode: 0755
# Note(TheJulia): The rootwrap copies will need to be re-tooled # Note(TheJulia): The rootwrap copies will need to be re-tooled
# to possibly directly retreive current files if a source install # to possibly directly retreive current files if a source install
# is not utilized. # is not utilized.
@ -261,8 +273,8 @@
file: file:
path: "{{ dnsmasq_additional_hostsdir }}" path: "{{ dnsmasq_additional_hostsdir }}"
state: directory state: directory
owner: "root" owner: "dnsmasq"
group: "root" group: "ironic"
mode: 0755 mode: 0755
when: dnsmasq_additional_hostsdir is defined when: dnsmasq_additional_hostsdir is defined
@ -270,8 +282,8 @@
file: file:
path: "{{ dnsmasq_dhcp_hostsdir }}" path: "{{ dnsmasq_dhcp_hostsdir }}"
state: directory state: directory
owner: "root" owner: "dnsmasq"
group: "root" group: "ironic"
mode: 0755 mode: 0755
- name: "Retrieve interface IP informations" - name: "Retrieve interface IP informations"
@ -392,7 +404,7 @@
state: directory state: directory
mode: 0750 mode: 0750
owner: "ironic" owner: "ironic"
group: "{{ nginx_user }}" group: "ironic"
loop: loop:
- "/var/lib/ironic" - "/var/lib/ironic"
- "/var/lib/ironic/master_images" - "/var/lib/ironic/master_images"
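Review bot: Adding `dnsmasq` to the `ironic` group in the `Add nginx and dnsmasq to the ironic group` task is unlikely to give dnsmasq access to group-readable files: when dnsmasq drops privileges it switches to its configured `--user`/`--group` and clears supplementary groups, so only the primary group named in its configuration applies — worth confirming against the dnsmasq build in use, since it would explain the FIXME elsewhere in this commit about TFTP still needing 0755. If that holds, `group=ironic` in the dnsmasq configuration is the effective lever, not `groups:` on the account. `append: yes` should be `append: true` to avoid the YAML 1.1 truthy ambiguity and match the `true`/`false` used in the defaults. The `user:` module will also create a `dnsmasq` account if the package has not, so this task presumably has to run after the dnsmasq install; that ordering is outside the hunk.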


@ -15,11 +15,27 @@
--- ---
# TODO(TheJulia): The pxelinux folder is statically coded in ironic. # TODO(TheJulia): The pxelinux folder is statically coded in ironic.
# For now, we need to use it, but we can patch that. # For now, we need to use it, but we can patch that.
- name: "Set up PXE and iPXE folders" - name: "Set up PXE folders"
file: name={{ item }} owner=ironic group=ironic state=directory mode=0755 file:
name: "{{ item }}"
owner: ironic
group: ironic
state: directory
# FIXME(dtantsur): dnsmasq cannot work if the files are not world readable
# or owned by it, I don't understand why.
mode: 0755
loop: loop:
- "{{ tftp_boot_folder }}" - "{{ tftp_boot_folder }}"
- "{{ tftp_boot_folder }}/pxelinux.cfg" - "{{ tftp_boot_folder }}/pxelinux.cfg"
- name: "Set up HTTP folders"
file:
name: "{{ item }}"
owner: ironic
group: ironic
state: directory
mode: "{{ boot_folder_permissions }}"
loop:
- "{{ http_boot_folder }}" - "{{ http_boot_folder }}"
- "{{ http_boot_folder }}/pxelinux.cfg" - "{{ http_boot_folder }}/pxelinux.cfg"
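Review bot: `mode: 0755` in the rewritten `Set up PXE folders` task is an unquoted leading-zero scalar, which the YAML loader turns into the octal integer 493; Ansible happens to interpret that integer as 0755, but ansible-lint flags it and a value written as `755` would silently become a different mode. Write `mode: "0755"` to match the quoted `"{{ boot_folder_permissions }}"` in the new `Set up HTTP folders` task and the quoted `"0750"` default. Separately, with TFTP left at 0755 only the HTTP tree is actually tightened, while the release note added in this commit states that both the TFTP and HTTP directories are no longer world-readable; either the note or the FIXME should say that the TFTP folders remain world-readable for now.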


@ -111,7 +111,7 @@
dest=/etc/ironic-inspector/inspector.conf dest=/etc/ironic-inspector/inspector.conf
owner=ironic owner=ironic
group=ironic group=ironic
mode=0740 mode=0640
- name: "Inspector - Create the log directories (if requested)" - name: "Inspector - Create the log directories (if requested)"
file: file:
name: "{{ item }}" name: "{{ item }}"
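Review bot: The task carrying `mode=0640` still uses the `key=value` shorthand, so the mode is buried in one long argument string where neither yamllint nor ansible-lint can inspect it; converting it to block YAML with `mode: "0640"` would match the block-style `file:` task that follows and keep the octal value visibly quoted. The task's opening `template:` line is outside the hunk, so the full rewrite cannot be shown here.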


@ -0,0 +1,5 @@
---
fixes:
- |
The TFTP and HTTP directories are no longer world-readable by default.
Set ``boot_folder_permissions`` to override.


@ -82,9 +82,9 @@ sudo journalctl -u uwsgi@keystone-public &> ${LOG_LOCATION}/keystone-public.log
# Copy PXE information # Copy PXE information
mkdir -p ${LOG_LOCATION}/pxe/ mkdir -p ${LOG_LOCATION}/pxe/
ls -lR /var/lib/ironic/httpboot > ${LOG_LOCATION}/pxe/listing.txt sudo ls -lR /var/lib/ironic/httpboot > ${LOG_LOCATION}/pxe/listing.txt
cp -aL /var/lib/ironic/httpboot/*.ipxe ${LOG_LOCATION}/pxe/ sudo bash -c "cp -aL /var/lib/ironic/httpboot/*.ipxe ${LOG_LOCATION}/pxe/"
cp -aL /var/lib/ironic/httpboot/pxelinux.cfg/ ${LOG_LOCATION}/pxe/ sudo cp -aL /var/lib/ironic/httpboot/pxelinux.cfg/ ${LOG_LOCATION}/pxe/
# Copy baremetal information # Copy baremetal information
source $HOME/openrc bifrost source $HOME/openrc bifrost
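Review bot: `sudo cp -aL /var/lib/ironic/httpboot/pxelinux.cfg/ ${LOG_LOCATION}/pxe/` preserves ownership and mode because of `-a` and runs as root, so the copied directory lands in `${LOG_LOCATION}` as ironic-owned with the newly tightened 0750 mode, unreadable by the unprivileged user that owns the rest of the log tree; any later step that archives or uploads the logs as that user will presumably skip or fail on it (the same applies to the `*.ipxe` copy). Follow the copies with `sudo chown -R "$(id -u):$(id -g)" "${LOG_LOCATION}/pxe/"`, or copy with `-L --no-preserve=ownership,mode` instead of `-a`, so the collected files stay readable. `${LOG_LOCATION}` inside the `sudo bash -c "..."` string is expanded by the outer shell, which is intended, but the expanded path should be quoted inside the inner command so a path containing whitespace does not split.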